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(54) Method for permitting debugging and testing of software on an mobile communication 
device in a secure environment 



(57) A developer (102) develops a software applica- 
tion (204) which needs to be tested or debugged, or 
both. To eliminate the need to either intentionally com- 
promise the security environment of the target portable 
device, or having to request a certificate for each version 
of the software under development, the developer ob- 
tains a development certificate (208). The development 
certificate includes a device identifier unique to the par- 
ticular portable device on which the software is to be 
tested, and some development parameter. The target 



device uses these two pieces of data to determine if the 
software is valid, and executable. If either of these piec- 
es of data are not valid, the security mechanism of the 
target device will disable the software, or otherwise 
refuse to permit it to execute. The developer signs the 
software with the development certificate, and then 
loads the signed software onto the target device, which 
then authenticates the developer's signature and devel- 
opment certificate. 
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Description 
Technical Field 

[0001] This invention relates in general to software 
authentication for mobile communication devices, and 
more particularly to debugging and testing software ap- 
plication code in a secure environment. 

Background of the Invention 

[0002] Mobile communication devices are in wide- 
spread use, particularly in metropolitan areas. Tradition- 
ally these devices have been used for voice communi- 
cation, but as computing power becomes more afford- 
able, these devices are evolving. Already there are mo- 
bile communication devices that are capable of brows- 
ing information on the Internet with a "microbrowser". 
Content providers and web site operators are providing 
content specifically for these devices in a format that is 
readable by the microbrowser. Furthermore, micro- 
browsers are becoming more sophisticated, and are ca- 
pable of executing portable code, such as JAVA applets. 
As a result, parties other than the manufacturer of the 
mobile communication device have the ability to devel- 
op software to be executed by the mobile communica- 
tion device. This presents a few problems. 
[0003] As with more conventional desktop or personal 
computer platforms, the mobile communication device 
is susceptible to poorly designed code, or worse, code 
designed to accomplish some malicious purpose. To 
prevent problems associated with such code, a security 
scheme has been adopted similar to that used by per- 
sonal computers. The mobile communication device is 
provided with a root key, which may be, for example, the 
public key of a trusted authority which is part of a public 
key infrastructure. There are companies which special- 
ize in this service, and perform verification services so 
that a developer can distribute their software in a man- 
ner in which those who download the software can be 
assured that the code is authentic, and has not been 
altered. It would be preferable to have this security fea- 
ture active all the time, this has presented a problem 
with developers because they frequently test many ver- 
sions of the code during development, and having to ob- 
tain certificates for each incremental version impedes 
the efficiency of the development process. 
[0004] Presently there are two conventional solutions 
to this problem. One is the use of a mobile communica- 
tion device with a special software load for developers 
in which the security has been disabled. This is unde- 
sirable because the device is then not representative of 
an actual users device. It is preferable to have an envi- 
ronment representative of the target device to facilitate 
debugging and development. Another conventional so- 
lution is to allow the security to be disabled. This might 
require a special sequence of buttons to enable or dis- 
able. However, this gives the ability of anyone who 



knows how the ability to disable the security. Since mo- 
bile communication devices use a shared resource, a 
flawed or maliciously designed software application 
could affect many other users. Therefore there is a need 
5 for a security scheme that is always active, yet allows 
flexibility for developers without unduly hindering devel- 
opment efforts. 

Brief Description of The Drawings 

10 

[0005] 

FIG. 1 shows a block diagram of a wireless commu- 
nication system interfaced with the Internet, in ac- 
15 cordance with the invention; 

FIG. 2 shows a block diagram of a mobile commu- 
nication device and associated software security ar- 
chitecture; and 

FIG. 3 shows a sequence chart for downloading an 
20 application signed with a debug certificate, in ac- 
cordance with the invention. 

Detailed Description of a Preferred Embodiment 

25 [0006] While the specification concludes with claims 
defining the features of the invention that are regarded 
as novel, it is believed that the invention will be better 
understood from a consideration of the following de- 
scription in conjunction with the drawing figures, in 

30 which like reference numerals are carried forward. A 
brief description of the prior art is also thought to be use- 
ful. 

[0007] The invention solves the problem of testing 
and debugging code in a mobile communication device 

35 working on a live system and having a secure environ- 
ment by eliminating the need to generate a new certifi- 
cate with every version or build of code to be tested. 
Instead, the present invention provides a way of gener- 
ating a multi-use certificate that a code developer can 

40 use to sign different versions or builds of code, and have 
them properly authenticated, without generating a new 
certificate for each new version or build of code to be 
tested. The present invention accomplishes this by use 
of a new class of certificate referred to as a development 

45 certificate. The development certificate specifies the 
machine it is to be used with, such as by specifying the 
international mobile equipment identifier of a mobile 
communication device, for example, and specifying a 
development parameter. The development parameter 

50 can specify the time period of use, the number of uses, 
and so on. Using the newly developed type of certificate, 
a developer can specify the particular mobile communi- 
cation device on which the code is to be tested, obtain 
a development certificate from a public key infrastruc- 

55 ture provider such as a certificate authority, and test sev- 
eral versions of the code being developed, on a live sys- 
tem, with device which has the same security environ- 
ment as one sold into retail channels. 
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[0008] Referring now to FIG. 1 , there is shown therein 
a block diagram 100 of a wireless communication sys- 
tem connected to the Internet, in accordance with the 
invention. A software developer's office 102, of a devel- 
oper which desires to develop a software application or 
other code for use in a mobile communication device 
104, includes the mobile communication device 104, a 
server 106 and preferably a local computer 108. The 
mobile communication device 104, is, for example, a 
mobile radio telephone ora cellulartelephone, andcom- 
municates with mobile or wireless infrastructure equip- 
ment 110. The mobile communication device contains 
certain computer resources such as scratch pad mem- 
ory (random access), non-volatile storage, operating 
system software, other application processing code, 
means for transmitting and receiving radio signals, pow- 
er source means, user interface and ergonomic soft- 
ware layers, and display means and keypad means for 
displaying and entering information, respectively, 
among other computer resources. In the non-volatile 
memory there is stored a device identifier, such as an 
international mobile equipment identifier (IMEI) as is 
well known in the art, and a root key for authenticating 
code developed by third parties. The mobile communi- 
cation device further comprises wireless network inter- 
face means, such as that used to establish and maintain 
packet data communication, and content browsing 
means such as a microbrowser for browsing content on 
the Internet. With the browsing means there is included 
a security means, in software, for preventing unauthor- 
ized access to protected computing resources, such as, 
for example, a Java or virtual machine software execu- 
tion environment. 

[0009] The wireless Infrastructure 110 includes a 
base station 112, and typically a plurality of such base 
stations, for establishing serving cells within the vicinity 
of each such base station, as is well known in the art. 
Each such base station is operatively coupled to a mo- 
bile switching center (MSC) 114, and other switching 
equipment included therein. The MSC facilitates tele- 
phone interconnect calling and is operatively coupled to 
a public switched telephone network (PSTN) 115. The 
MSC or related equipment is also operatively coupled 
to a wide area public network, such as the Internet 116. 
Typically the link between the mobile infrastructure 
equipment and the wide area public network is a stand- 
ard transport link, and uses, for example, TCP/IP, as is 
common, and uses a gateway located at the MSC, as 
is know in the art. Various equivalent arrangements exist 
for coupling the wireless infrastructure to networks to fa- 
cilitate use of those networks by the mobile communi- 
cation device. 

[0010] To facilitate security operations in the mobile 
communication device 104, a public key infrastructure 
service provider has a machine or server 1 1 8 operative- 
ly coupled to the Internet, and is such that other ma- 
chines operatively coupled to the Internet can transact 
with the server 118. Generally, such service providers 



provide encryption technologies such as public keys 
and authentication services including digital encryption 
certificates and code signing services for use by soft- 
ware and code developers. Such products and services 
5 are used by target devices to verify the authenticity of 
software and code obtained over public networks. 
These services are presently in widespread use, and 
provided by companies such as Verisign, Inc., which can 
be found on the Internet with the uniform resource loca- 

10 tor (URL)of www.verisign.com. Preferably, included at 
the public key infrastructure service provider is a certif- 
icate authority server 120 and a code signing server 
122. These are also transactable with other machines 
over the public network. 

is [001 1 ] A secure time server 1 24 is also provided, and 
operatively coupled to the public network. Other ma- 
chines transact with the secure time server to obtain au- 
thentic time stamps or readings, or both. In other words, 
when a machine coupled to the public network needs to 

20 verify the present time, it sends a request to the secure 
time server for the present time, which may include the 
present date. The time server then responds by sending 
an encrypted time reading back to the requesting ma- 
chine. The requesting machine then decrypts the time 

25 reading using a public key of the time server, which has 
been previously provided to the requesting machine. In 
some instances the secure time server may be included 
with, and operated by the public key infrastructure serv- 
ice provider, and coupled to the server 118. In which 

30 case the public key for the time server could be the same 
as that of the public key infrastructure service provider. 
Such time servers are known in the art. 
[0012] FIG. 2 shows a block diagram of a mobile com- 
munication device's associated software security archl- 

35 tecture 200. The mobile communication device under 
consideration here is one used by a code developer to 
test and debug software and code developed by the de- 
veloper. A software or code package 202 is obtained by 
the mobile communication device, and is meant to be 

^0 installed in the mobile communication device. The soft- 
ware package includes the executable code 204, a de- 
scriptorfile 206, and a development certificate 208. The 
development certificate, in accordance with the inven- 
tion, comprises a device identifier of the particular mo- 

45 bile communication device, which is unique to the par- 
ticular mobile communication device, and a develop- 
ment parameter. The development parameter is a pa- 
rameter chosen by the developer to indicate under what 
conditions the development certificate is valid. For ex- 

50 ample, the development parameter may be a limited pe- 
riod of time, a preselected number of instantiations of 
the code to be tested, the number of versions which may 
be tested under the development certificate, and so on. 
It is also specifically contemplated that the development 

55 parameter may include a download counter or counter 
value to control the number of times the software appli- 
cation may be downloaded and installed into the ma- 
chine. In the course of development, several slightly dif- 
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ferent versions may be tested. The development certif- 
icate is created in accordance with the method of the 
invention described hereinbelow. The mobile communi- 
cation device comprises a software execution environ- 
ment 210, including a security manager, a security do- 
main, and resources 216 including physical, software, 
and data resources. The security manager is a software 
layer that assigns permissions to code that is installed 
into the mobile communication device, and either allows 
or denies use of resources by code that is installed. If a 
code segment or application does not have appropriate 
certification, the security manager denies use of all re- 
sources to prevent corruption of the resources or code 
being executed. The security domain is the set of re- 
sources which a particular code segment or application 
is allowed to access. The security domain may therefore 
be different for different applications, depending on 
which resources the application needs access to, and 
whether or not the application is properly authenticated 
with, for example, public key cryptography. The security 
domain necessary to properly execute the application is 
provided in the software code package 202 in a security 
policy described in the descriptor file 206. Once the soft- 
ware package is authenticated, the security manager 
can set the permissions appropriately, in accordance 
with the security policy 

[0013] The software package 202 of FIG. 2 is gener- 
ated, loaded, authenticated, and installed as described 
in FIG. 3, which shows a sequence chart 300 for down- 
loading an application signed with a debug certificate, 
in accordance with the invention. The four main entities 
involved are the developer 302, a public key infrastruc- 
ture (PKI) server 304, the mobile communication device 
306, and optionally a time server 308. The procedures 
described herein include both a method for testing soft- 
ware on a portable device, and a method for permitting 
debugging and testing of software on a mobile commu- 
nication device. 

[0014] The process starts at the developer 302, who 
generates code (31 0) that needs to be tested and or de- 
bugged. The code is typically developed on a general 
purpose computer or workstation, such as that indicated 
in FIG. 1 as a local computer 108. When the developer 
is ready to load the code, which may be an application 
or some other software entity, the developer sends or 
otherwise transmits a request (312) for a development 
certificate to the PKI server 304. The PKI server is op- 
erated and controlled by a public certificate authority. 
The request includes a device identifier which is a 
unique identifier of the particular portable device or mo- 
bile communication device on which the code will be 
loaded and tested, and a developer's identif ier to permit 
authentication of the developer. The request also in- 
cludes a development parameter and the developers 
digital identification. The development parameter is in- 
cluded to limit the validity of the development certificate. 
The PKI server authenticates the request (314) by, for 
example, authenticating the digital signature of the de- 



veloper. Upon successfully authenticating the develop- 
er's request, the PKI server creates the development 
certificate. The development certificate includes the de- 
vice identifier and the development parameter. These 
5 data entities are made secure with appropriate crypto- 
graphic techniques such as one way hashes, for exam- 
ple. 

[001 5] Once the development certificate is generated, 
the public certificate authority's PKI server sends or 
10 transmits it back to the developer, who receives it at their 
office (31 8). The developer then signs the code or soft- 
ware application to be tested with the development cer- 
tificate (320), thereby providing a signed software appli- 
cation. Typically the software will be in an archive for- 
15 mat, such as a Java archive, or JAR file, with the appli- 
cation itself being in byte code for portability among plat- 
forms. The signed software application is then loaded 
onto a server (322), such as the developer's server 106 
of FIG. 1 . At this point the mobile communication device 
20 js ready to load the software. This can be done in by one 
of two ways, either use if a cable between the computer 
on which the signed software application resides, or 
over the air. Loading the signed software application 
(324) can be initiated by either the target mobile com- 
25 munication device, or by the developer if desired. Once 
the mobile communication device receives the signed 
software application, it decrypts the certificate (326) and 
commences authenticating the developer's signature 
(328. 330), including verifying the device identifier. If the 
30 device identifier does not match the device identifier of 
the mobile communication device, the software pack- 
age may be discarded. The authentication is done over 
the air interface using a network connection and the 
gateway for the wireless system Infrastructure 110. If the 
35 development parameter specifies a time period of valid- 
ity, the mobile communication device can then the mo- 
bile communication device requests a signed time read- 
ing (332) from a trusted time server, which sends back 
a (334) signed or stamped time reading. The mobile 
40 communication device then verifies the time reading 
(336). The mobile communication device also creates 
and stores a hash of the development parameter (338) 
for use with subsequently loaded versions of the soft- 
ware. This hash is stored in non volatile memory. The 
45 security permissions are then set according to the de- 
scriptor file 206, and the application can then be in- 
stalled. The development parameter used is a number 
of times the code may be executed, each time the code 
is called, it will increment a count of the number of times 
so it has been called, keep this count in a cryptograph ically 
secure format in the mobile communication device's 
non-volatile memory, and check it each time the soft- 
ware is called to determine if the software can still be 
used. The same is true for other development parame- 
55 ters that may be used such as validity period, for exam- 
ple. Each time the software is called, the development 
parameters are checked against the present condition 
of those parameters to determine if the development 
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certificate is still valid. If not, then execution of the soft- 
ware is immediately aborted. Therefore, execution of 
the software commences only if the device identifier of 
the development certificate matches the device identifi- 
er of the portable device or mobile communication de- 
vice, and the development parameter is likewise valid. 
The invention Turther embodies a method of generating 
a development certificate for use in testing a software 
application in a mobile communication device. The 
method comprises receiving, at a public certificate au- 
thority, request from a developer for a development cer- 
tificate. The request will include a device identifier and 
a development parameter, and is signed with, for exam- 
ple, the public key of the developer. The public certificate 
authority then generates the development certificate, 
and includes the device identifier and development pa- 
rameter. 

[0016] Thus, the problem of the developer having to 
request a certificate for each incremental version of a 
software entity, for testing and/or debugging, is obviated 
by use of the development certificate which is reusable 
for as many versions as the developer wants, for a pe- 
riod of time, or for a predetermined number of instanti- 
ations of the code in the executable environment of the 
portable device or mobile communication device, or a 
combination of several such parameters. The developer 
can reuse the same development certificate for different 
versions of the software to be tested, and it will be in- 
stalled and executed by the target device so long as the 
device identifier and development parameter are valid. 
This facilitates rapid development while maintaining the 
security measures of the software environment in the 
portable device. The process makes use of a develop- 
ment parameter or parameters, in conjunction with 
specifying a unique identifier of the portable device, and 
cryptographic techniques used for authentication and 
monitoring the usage of the software by the portable de- 
vice. The portable device itself maintains certain varia- 
bles to keep track of the use and instantiations of the 
software, when needed, to determine whether or not fur- 
ther execution is permitted. While the preferred embod- 
iments of the invention have been illustrated and de- 
scribed, it will be clear that the invention is not so limited. 
Numerous modifications, changes, variations, substitu- 
tions and equivalents will occur to those skilled in the 
art without departing from the spirit and scope of the 
present invention as defined by the appended claims. 



Claims 



A method for testing software in a portable device 
having a secure software environment, the device 
having a device identifier and a root key of a public 
certificate authority, the method comprising: 

sending a request for a development certificate 
to the public certificate authority, the request in- 
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eluding the device identifier and being signed 
with a developer's certificate including a devel- 
oper identifier, the sending performed by a soft- 
ware developer; 

receiving the development certificate at the 
software developer, the development certifi- 
cate specifying the developer identifier, a de- 
velopment parameter and the device identifier; 
signing a software application to be tested in 
the portable device with the development cer- 
tificate, thereby providing a signed software ap- 
plication; 

loading the signed software application onto 
the portable device; 

authenticating the development certificate with 
the public certificate authority, performed by the 
portable device; 

executing the software application only if the 
device identifier of the development certificate 
matches the device identifier of the portable de- 
vice, and the development parameter is valid. 

A method for testing software in a portable device 
as defined by claim 1 , wherein the development pa- 
rameter includes a validity period, the authenticat- 
ing includes authenticating the validity period. 

A method for testing software in a portable device 
as defined by claim 1 , wherein the development pa- 
rameter includes a download counter, the authenti- 
cating includes determining if the download counter 
has been exceeded. 

A method for testing software in a portable device 
as defined by claim 1, wherein the loading is per- 
formed over an air interface between the portable 
device and a wireless communication system. 

A method for permitting debugging and testing of 
software on a mobile communication device having 
a secure software environment, the mobile commu- 
nication device having a device identifier, the meth- 
od comprising: 

generating a development certificate for the 
mobile communication device, the develop- 
ment certificate including the device identifier 
and a development parameter, the generating 
performed by a public certificate authority; 
signing a software application to be tested in 
the mobile communication device with the de- 
velopment certificate, thereby providing a 
signed software application; 
loading the signed software application onto 
the portable device; 

authenticating the development certificate with 
the public certificate authority, performed by the 
mobile communication device; and 
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executing the software application only if the 
device identifier of the development certificate 
matches the device identifier of the portable de- 
vice, and the development parameter is valid. 

5 

6. A method for testing software in a portable device 
as defined by claim 5, wherein the generating com- 
prises including a validity period for the develop- 
ment certificate in the development parameter, the 
authenticating includes authenticating the validity io 
period. 

7. A method for testing software in a portable device 
as defined by claim 5, wherein the generating com- 
prises including a time of day period for the devel- *5 
opment certificate in the development parameter, 

the authenticating includes authenticating the time 
of day. 

8. A method for testing software in a portable device 20 
as defined by claim 5, wherein the generating com- 
prises including a download counter for the devel- 
opment certificate in the development parameter, 

the authenticating includes determining if the down- 
load counter has been exceeded. 25 

9. A method for testing software in a portable device 
as defined by claim 5, wherein the loading is per- 
formed over an air interface between the portable 
device and a wireless communication system. 30 

10. A method for testing software in a portable device 
as defined by claim 5 wherein the generating com- 
prises generating the development certificate when 

the device identifier is an international mobile equip- 35 
ment identifier of the mobile communication device. 
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